r26572: Fix warnings in the Python code.
[ab/samba.git/.git] / source4 / libcli / security / security_descriptor.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    security descriptror utility functions
5
6    Copyright (C) Andrew Tridgell                2004
7       
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libcli/security/security.h"
24
25 /*
26   return a blank security descriptor (no owners, dacl or sacl)
27 */
28 struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
29 {
30         struct security_descriptor *sd;
31
32         sd = talloc(mem_ctx, struct security_descriptor);
33         if (!sd) {
34                 return NULL;
35         }
36
37         sd->revision = SD_REVISION;
38         /* we mark as self relative, even though it isn't while it remains
39            a pointer in memory because this simplifies the ndr code later.
40            All SDs that we store/emit are in fact SELF_RELATIVE
41         */
42         sd->type = SEC_DESC_SELF_RELATIVE;
43
44         sd->owner_sid = NULL;
45         sd->group_sid = NULL;
46         sd->sacl = NULL;
47         sd->dacl = NULL;
48
49         return sd;
50 }
51
52 static struct security_acl *security_acl_dup(TALLOC_CTX *mem_ctx,
53                                              const struct security_acl *oacl)
54 {
55         struct security_acl *nacl;
56         int i;
57
58         nacl = talloc (mem_ctx, struct security_acl);
59         if (nacl == NULL) {
60                 return NULL;
61         }
62
63         nacl->aces = (struct security_ace *)talloc_memdup (nacl, oacl->aces, sizeof(struct security_ace) * oacl->num_aces);
64         if ((nacl->aces == NULL) && (oacl->num_aces > 0)) {
65                 goto failed;
66         }
67
68         /* remapping array in trustee dom_sid from old acl to new acl */
69
70         for (i = 0; i < oacl->num_aces; i++) {
71                 nacl->aces[i].trustee.sub_auths = 
72                         (uint32_t *)talloc_memdup(nacl->aces, nacl->aces[i].trustee.sub_auths,
73                                       sizeof(uint32_t) * nacl->aces[i].trustee.num_auths);
74
75                 if ((nacl->aces[i].trustee.sub_auths == NULL) && (nacl->aces[i].trustee.num_auths > 0)) {
76                         goto failed;
77                 }
78         }
79
80         nacl->revision = oacl->revision;
81         nacl->size = oacl->size;
82         nacl->num_aces = oacl->num_aces;
83         
84         return nacl;
85
86  failed:
87         talloc_free (nacl);
88         return NULL;
89         
90 }
91
92 /* 
93    talloc and copy a security descriptor
94  */
95 struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, 
96                                                      const struct security_descriptor *osd)
97 {
98         struct security_descriptor *nsd;
99
100         nsd = talloc_zero(mem_ctx, struct security_descriptor);
101         if (!nsd) {
102                 return NULL;
103         }
104
105         if (osd->owner_sid) {
106                 nsd->owner_sid = dom_sid_dup(nsd, osd->owner_sid);
107                 if (nsd->owner_sid == NULL) {
108                         goto failed;
109                 }
110         }
111         
112         if (osd->group_sid) {
113                 nsd->group_sid = dom_sid_dup(nsd, osd->group_sid);
114                 if (nsd->group_sid == NULL) {
115                         goto failed;
116                 }
117         }
118
119         if (osd->sacl) {
120                 nsd->sacl = security_acl_dup(nsd, osd->sacl);
121                 if (nsd->sacl == NULL) {
122                         goto failed;
123                 }
124         }
125
126         if (osd->dacl) {
127                 nsd->dacl = security_acl_dup(nsd, osd->dacl);
128                 if (nsd->dacl == NULL) {
129                         goto failed;
130                 }
131         }
132
133         nsd->revision = osd->revision;
134         nsd->type = osd->type;
135
136         return nsd;
137
138  failed:
139         talloc_free(nsd);
140
141         return NULL;
142 }
143
144 /*
145   add an ACE to an ACL of a security_descriptor
146 */
147
148 static NTSTATUS security_descriptor_acl_add(struct security_descriptor *sd,
149                                             bool add_to_sacl,
150                                             const struct security_ace *ace)
151 {
152         struct security_acl *acl = NULL;
153
154         if (add_to_sacl) {
155                 acl = sd->sacl;
156         } else {
157                 acl = sd->dacl;
158         }
159
160         if (acl == NULL) {
161                 acl = talloc(sd, struct security_acl);
162                 if (acl == NULL) {
163                         return NT_STATUS_NO_MEMORY;
164                 }
165                 acl->revision = SECURITY_ACL_REVISION_NT4;
166                 acl->size     = 0;
167                 acl->num_aces = 0;
168                 acl->aces     = NULL;
169         }
170
171         acl->aces = talloc_realloc(acl, acl->aces,
172                                    struct security_ace, acl->num_aces+1);
173         if (acl->aces == NULL) {
174                 return NT_STATUS_NO_MEMORY;
175         }
176
177         acl->aces[acl->num_aces] = *ace;
178         acl->aces[acl->num_aces].trustee.sub_auths =
179                 (uint32_t *)talloc_memdup(acl->aces,
180                               acl->aces[acl->num_aces].trustee.sub_auths,
181                               sizeof(uint32_t) *
182                               acl->aces[acl->num_aces].trustee.num_auths);
183         if (acl->aces[acl->num_aces].trustee.sub_auths == NULL) {
184                 return NT_STATUS_NO_MEMORY;
185         }
186
187         switch (acl->aces[acl->num_aces].type) {
188         case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
189         case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
190         case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
191         case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
192                 acl->revision = SECURITY_ACL_REVISION_ADS;
193                 break;
194         default:
195                 break;
196         }
197
198         acl->num_aces++;
199
200         if (add_to_sacl) {
201                 sd->sacl = acl;
202                 sd->type |= SEC_DESC_SACL_PRESENT;
203         } else {
204                 sd->dacl = acl;
205                 sd->type |= SEC_DESC_DACL_PRESENT;
206         }
207
208         return NT_STATUS_OK;
209 }
210
211 /*
212   add an ACE to the SACL of a security_descriptor
213 */
214
215 NTSTATUS security_descriptor_sacl_add(struct security_descriptor *sd,
216                                       const struct security_ace *ace)
217 {
218         return security_descriptor_acl_add(sd, true, ace);
219 }
220
221 /*
222   add an ACE to the DACL of a security_descriptor
223 */
224
225 NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
226                                       const struct security_ace *ace)
227 {
228         return security_descriptor_acl_add(sd, false, ace);
229 }
230
231 /*
232   delete the ACE corresponding to the given trustee in an ACL of a
233   security_descriptor
234 */
235
236 static NTSTATUS security_descriptor_acl_del(struct security_descriptor *sd,
237                                             bool sacl_del,
238                                             const struct dom_sid *trustee)
239 {
240         int i;
241         bool found = false;
242         struct security_acl *acl = NULL;
243
244         if (sacl_del) {
245                 acl = sd->sacl;
246         } else {
247                 acl = sd->dacl;
248         }
249
250         if (acl == NULL) {
251                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
252         }
253
254         /* there can be multiple ace's for one trustee */
255         for (i=0;i<acl->num_aces;i++) {
256                 if (dom_sid_equal(trustee, &acl->aces[i].trustee)) {
257                         memmove(&acl->aces[i], &acl->aces[i+1],
258                                 sizeof(acl->aces[i]) * (acl->num_aces - (i+1)));
259                         acl->num_aces--;
260                         if (acl->num_aces == 0) {
261                                 acl->aces = NULL;
262                         }
263                         found = true;
264                 }
265         }
266
267         if (!found) {
268                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
269         }
270
271         acl->revision = SECURITY_ACL_REVISION_NT4;
272
273         for (i=0;i<acl->num_aces;i++) {
274                 switch (acl->aces[i].type) {
275                 case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
276                 case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
277                 case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
278                 case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
279                         acl->revision = SECURITY_ACL_REVISION_ADS;
280                         return NT_STATUS_OK;
281                 default:
282                         break; /* only for the switch statement */
283                 }
284         }
285
286         return NT_STATUS_OK;
287 }
288
289 /*
290   delete the ACE corresponding to the given trustee in the DACL of a
291   security_descriptor
292 */
293
294 NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
295                                       const struct dom_sid *trustee)
296 {
297         return security_descriptor_acl_del(sd, false, trustee);
298 }
299
300 /*
301   delete the ACE corresponding to the given trustee in the SACL of a
302   security_descriptor
303 */
304
305 NTSTATUS security_descriptor_sacl_del(struct security_descriptor *sd,
306                                       const struct dom_sid *trustee)
307 {
308         return security_descriptor_acl_del(sd, true, trustee);
309 }
310
311 /*
312   compare two security ace structures
313 */
314 bool security_ace_equal(const struct security_ace *ace1, 
315                         const struct security_ace *ace2)
316 {
317         if (ace1 == ace2) return true;
318         if (!ace1 || !ace2) return false;
319         if (ace1->type != ace2->type) return false;
320         if (ace1->flags != ace2->flags) return false;
321         if (ace1->access_mask != ace2->access_mask) return false;
322         if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return false;
323
324         return true;    
325 }
326
327
328 /*
329   compare two security acl structures
330 */
331 bool security_acl_equal(const struct security_acl *acl1, 
332                         const struct security_acl *acl2)
333 {
334         int i;
335
336         if (acl1 == acl2) return true;
337         if (!acl1 || !acl2) return false;
338         if (acl1->revision != acl2->revision) return false;
339         if (acl1->num_aces != acl2->num_aces) return false;
340
341         for (i=0;i<acl1->num_aces;i++) {
342                 if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return false;
343         }
344         return true;    
345 }
346
347 /*
348   compare two security descriptors.
349 */
350 bool security_descriptor_equal(const struct security_descriptor *sd1, 
351                                const struct security_descriptor *sd2)
352 {
353         if (sd1 == sd2) return true;
354         if (!sd1 || !sd2) return false;
355         if (sd1->revision != sd2->revision) return false;
356         if (sd1->type != sd2->type) return false;
357
358         if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
359         if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
360         if (!security_acl_equal(sd1->sacl, sd2->sacl))      return false;
361         if (!security_acl_equal(sd1->dacl, sd2->dacl))      return false;
362
363         return true;    
364 }
365
366 /*
367   compare two security descriptors, but allow certain (missing) parts
368   to be masked out of the comparison
369 */
370 bool security_descriptor_mask_equal(const struct security_descriptor *sd1, 
371                                     const struct security_descriptor *sd2, 
372                                     uint32_t mask)
373 {
374         if (sd1 == sd2) return true;
375         if (!sd1 || !sd2) return false;
376         if (sd1->revision != sd2->revision) return false;
377         if ((sd1->type & mask) != (sd2->type & mask)) return false;
378
379         if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return false;
380         if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return false;
381         if ((mask & SEC_DESC_DACL_PRESENT) && !security_acl_equal(sd1->dacl, sd2->dacl))      return false;
382         if ((mask & SEC_DESC_SACL_PRESENT) && !security_acl_equal(sd1->sacl, sd2->sacl))      return false;
383
384         return true;    
385 }
386
387
388 static struct security_descriptor *security_descriptor_appendv(struct security_descriptor *sd,
389                                                                bool add_ace_to_sacl,
390                                                                va_list ap)
391 {
392         const char *sidstr;
393
394         while ((sidstr = va_arg(ap, const char *))) {
395                 struct dom_sid *sid;
396                 struct security_ace *ace = talloc(sd, struct security_ace);
397                 NTSTATUS status;
398
399                 if (ace == NULL) {
400                         talloc_free(sd);
401                         return NULL;
402                 }
403                 ace->type = va_arg(ap, unsigned int);
404                 ace->access_mask = va_arg(ap, unsigned int);
405                 ace->flags = va_arg(ap, unsigned int);
406                 sid = dom_sid_parse_talloc(ace, sidstr);
407                 if (sid == NULL) {
408                         talloc_free(sd);
409                         return NULL;
410                 }
411                 ace->trustee = *sid;
412                 if (add_ace_to_sacl) {
413                         status = security_descriptor_sacl_add(sd, ace);
414                 } else {
415                         status = security_descriptor_dacl_add(sd, ace);
416                 }
417                 /* TODO: check: would talloc_free(ace) here be correct? */
418                 if (!NT_STATUS_IS_OK(status)) {
419                         talloc_free(sd);
420                         return NULL;
421                 }
422         }
423
424         return sd;
425 }
426
427 struct security_descriptor *security_descriptor_append(struct security_descriptor *sd,
428                                                        ...)
429 {
430         va_list ap;
431
432         va_start(ap, sd);
433         sd = security_descriptor_appendv(sd, false, ap);
434         va_end(ap);
435
436         return sd;
437 }
438
439 static struct security_descriptor *security_descriptor_createv(TALLOC_CTX *mem_ctx,
440                                                                uint16_t sd_type,
441                                                                const char *owner_sid,
442                                                                const char *group_sid,
443                                                                bool add_ace_to_sacl,
444                                                                va_list ap)
445 {
446         struct security_descriptor *sd;
447
448         sd = security_descriptor_initialise(mem_ctx);
449         if (sd == NULL) {
450                 return NULL;
451         }
452
453         sd->type |= sd_type;
454
455         if (owner_sid) {
456                 sd->owner_sid = dom_sid_parse_talloc(sd, owner_sid);
457                 if (sd->owner_sid == NULL) {
458                         talloc_free(sd);
459                         return NULL;
460                 }
461         }
462         if (group_sid) {
463                 sd->group_sid = dom_sid_parse_talloc(sd, group_sid);
464                 if (sd->group_sid == NULL) {
465                         talloc_free(sd);
466                         return NULL;
467                 }
468         }
469
470         return security_descriptor_appendv(sd, add_ace_to_sacl, ap);
471 }
472
473 /*
474   create a security descriptor using string SIDs. This is used by the
475   torture code to allow the easy creation of complex ACLs
476   This is a varargs function. The list of DACL ACEs ends with a NULL sid.
477
478   Each ACE contains a set of 4 parameters:
479   SID, ACCESS_TYPE, MASK, FLAGS
480
481   a typical call would be:
482
483     sd = security_descriptor_dacl_create(mem_ctx,
484                                          sd_type_flags,
485                                          mysid,
486                                          mygroup,
487                                          SID_NT_AUTHENTICATED_USERS,
488                                          SEC_ACE_TYPE_ACCESS_ALLOWED,
489                                          SEC_FILE_ALL,
490                                          SEC_ACE_FLAG_OBJECT_INHERIT,
491                                          NULL);
492   that would create a sd with one DACL ACE
493 */
494
495 struct security_descriptor *security_descriptor_dacl_create(TALLOC_CTX *mem_ctx,
496                                                             uint16_t sd_type,
497                                                             const char *owner_sid,
498                                                             const char *group_sid,
499                                                             ...)
500 {
501         struct security_descriptor *sd = NULL;
502         va_list ap;
503         va_start(ap, group_sid);
504         sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
505                                          group_sid, false, ap);
506         va_end(ap);
507
508         return sd;
509 }
510
511 struct security_descriptor *security_descriptor_sacl_create(TALLOC_CTX *mem_ctx,
512                                                             uint16_t sd_type,
513                                                             const char *owner_sid,
514                                                             const char *group_sid,
515                                                             ...)
516 {
517         struct security_descriptor *sd = NULL;
518         va_list ap;
519         va_start(ap, group_sid);
520         sd = security_descriptor_createv(mem_ctx, sd_type, owner_sid,
521                                          group_sid, true, ap);
522         va_end(ap);
523
524         return sd;
525 }
526
527 struct security_ace *security_ace_create(TALLOC_CTX *mem_ctx,
528                                          const char *sid_str,
529                                          enum security_ace_type type,
530                                          uint32_t access_mask,
531                                          uint8_t flags)
532
533 {
534         struct dom_sid *sid;
535         struct security_ace *ace;
536
537         ace = talloc_zero(mem_ctx, struct security_ace);
538         if (ace == NULL) {
539                 return NULL;
540         }
541
542         sid = dom_sid_parse_talloc(ace, sid_str);
543         if (sid == NULL) {
544                 talloc_free(ace);
545                 return NULL;
546         }
547
548         ace->trustee = *sid;
549         ace->type = type;
550         ace->access_mask = access_mask;
551         ace->flags = flags;
552
553         return ace;
554 }